You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tapestry.apache.org by "Robert Andersson (Commented) (JIRA)" <ji...@apache.org> on 2011/11/14 16:28:51 UTC

[jira] [Commented] (TAP5-53) Mechanism to send pointers to serialized data to the client, not the data itself

    [ https://issues.apache.org/jira/browse/TAP5-53?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149686#comment-13149686 ] 

Robert Andersson commented on TAP5-53:
--------------------------------------

This issue came up during a security review of the Tapestry based project I'm currently working on.

I have to agree with Josh Canfield over, why reinvent the wheel, what's wrong with storing all of this in the session?
                
> Mechanism to send pointers to serialized data to the client, not the data itself
> --------------------------------------------------------------------------------
>
>                 Key: TAP5-53
>                 URL: https://issues.apache.org/jira/browse/TAP5-53
>             Project: Tapestry 5
>          Issue Type: New Feature
>    Affects Versions: 5.0.15
>            Reporter: Howard M. Lewis Ship
>
> Tapestry has the capability to store much data on the client, whether it is persisted page fields, or Form component action data.  This presents a couple of problems; first, it inflates the size of the rendered HTML stream.  Second, it is a potential security issue, since a hyper-intelligent black hat might find a way to change such data before returning it.
> What if Tapestry stored the associated bytestreams on the server, and provided, in the HTML, just a relatively short pointer (a string id that points to the correct bytestream) to the stream?
> A small amount of additional data on the server side could be used to authenticate the pointer, using the user's session id (if a session exists) and host ip.
> Unreferenced data would be periodically purged.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira